The Insider Threat: Considerations & Solutions for Gaming

Penetration Testing (Pen Testing) is a crucial cybersecurity practice where ethical hackers identify system vulnerabilities to preempt malicious attacks. However, despite its importance, it's often under-utilized due to factors like limited resources and lack of awareness. Beyond Pen Testing, less discussed but equally critical issues like social engineering and internal fraud also pose significant threats in the cybersecurity landscape. We call this the internal threat because it involves your employees who are on the inside. 

The Ponemon Institute, a research center dedicated to privacy, data protection, and information security policy, released a report for 2022 on insider threats for corporations. 

Social engineering can also involve physical deception, which includes trespassing or impersonation to gain unauthorized access to restricted areas. For example, I have posed as a maintenance worker, IT, and a delivery person to bypass security controls. Once inside, I was able to access confidential files, plant simulated malicious software, and I have even gained access to a cash cage at a prominent Las Vegas property. It's crucial to understand that social engineering doesn't rely on hacking into systems or using advanced technology; it hinges on exploiting the most vulnerable element in the chain - the human element. As human beings it’s hard for us to challenge other people, especially when they look trustworthy and look as if they belong. 

Attackers and security companies can utilize a practice we call Open-Source Intelligence Gathering. Essentially, it is the process of collecting and analyzing information from publicly available sources to assist in intelligence operations. OSINT activities tap into a range of public data sources - including social media, public government data, newspapers, digital maps, and the dark web among others. This information, when systematically collected and appropriately analyzed, can provide crucial insights into potential vulnerabilities, threat landscapes, and the tactics, techniques, and procedures (TTPs) of potential attackers. 

Take the below as an example of OSINT that I have conducted in the past against a gaming organization successfully:

• Knowledge. Taking the target’s property address as I learned they had recently moved into their new location and had only been there for less than a month. Taking their address, I found the previous tenant that occupied the building. With that information, I was able to contact the previous tenant and find out who their previous internet provider was.
• From here on out things were simple. While there was more information I gathered, this was enough for me. I approached the building in uniform of the previous tenant’s internet company, $20 shirt on the internet, and politely explained that the previous company had not disconnected their internet yet and I needed to get the equipment and disconnect them.
• My story, confidence, and politeness were plausible to gain access unattended. As stated before, we tend to want to trust people and not challenge them. With the information I provided, this re-enforced this behavior even more. 

Social engineering attacks will usually pivot to credential stealing, financial fraud, ransomware, and most of the common problems we are all familiar with. 

By being aware of these tactics, employees can become the first line of defense in an organization's security strategy. But education not only comes in slides and presentations but must be put to the test. Think of it as a vaccination. The more you put your employees to the test the stronger they become. Without constant practice we can become complacent with everyday affairs and too relaxed. I have seen that most organizations fail the first time and as an ethnical hacker and cybercrime defender, I do make it a point to educate them - to ask them to treat it as a learning experience. To succeed, one must set steps in place for how to remediate and correct it in the event it happens in the future. That’s why it’s critical to be proactive, to do the proper planning, and to be educated.

This is not an unknown topic in the gaming industry but happens more often than most realize. Due to most gaming casinos not being a publicly traded company on the exchange they do not have to report it. In the case of publicly traded organizations, they are not usually required to report it by the SEC unless material events are those that could affect a reasonable investor's decision to buy, hold, or sell a company's securities.

Let’s dive into an example that I’ve experienced many times during my investigations in the past with slot machines and table games. The usual suspects with the cases that I have been involved in over the years are most often the techs. From anywhere between an unknown amount to the sum of over 5 million dollars. But consider that they are not the only point of risk, and I am using them as this one example as this risk extends to all departments from accounting to casino management. Even patrons have exploited gaming in the hundreds of thousands of dollars.

Such as in the corporate world the formula is the same. Motive, access, and ease. Motive is usually financial. Access is how much access one has to financials and finally how easy is to get away with.

My past investigations have revealed everything from the discovery of foreign devices found attached to networks and gaming equipment, tricks used such a fishing line attached to 100-dollar bills (while having internal access to the machine), manipulation of wires and electrical systems inside machines, and even back end financial database manipulation.

Advancements in technology have brought about remarkable changes, among which are the miniaturization of computers and the extensive accessibility to public information. Computers have evolved from bulky machines to sleek, pocket-friendly devices with immense computational capabilities. This transition has not only made computing widely available to the masses but has also opened the risk of misuse.

Simultaneously, data and its easy availability on the internet has created an information age where almost anyone can access a wealth of knowledge with just a few clicks. With the introduction of a mass amount of AI tools, the gathering of intelligence has increased tenfold. While this has undeniably spurred innovation and collaboration on an unprecedented scale, it has also presented malevolent actors with a new landscape for exploitation.

Combining this and knowledge of internal processes of gaming, data access, and how the machines work eventually leads to discovered holes in the system. Sometimes even by accident.

Several effective strategies exist for combating fraud, particularly within the gaming industry. Regular audits of financials, processes, and personnel are critical to maintaining security. Financial audits should encompass a detailed comparison of current metrics with historical game data and vendor-supplied statistics, providing a comprehensive analysis of your financial hold from the floor or online gaming.

Although pre-employment background checks are a standard procedure, one should not overlook the possibility of a first-time offense. Therefore, consistent background checks, including financial checks where permissible, should be integral to your operation's security procedures.

Implementing a robust Governance, Risk Management, and Compliance (GRC) policy is also crucial. Such a policy minimizes potential risks by regulating machine and data access, among other factors.

Lastly, consider engaging third-party auditors to validate your security measures. An external audit not only verifies your internal control efficacy but provides an unbiased perspective on adherence to your established processes. This multi-pronged approach can significantly enhance your ability to combat potential fraud.